Vulnerability Acknowledgements for Red Hat online services

Red Hat would like to thank the following individuals and organisations that have privately reported security issues that affected Red Hat branded websites or online services and agreed to be listed.

To report an issue in any Red Hat branded website or online service please contact site-security@redhat.com. Red Hat Information Security, in its sole discretion, will make the final decision about granting, refusing, and publishing credits, as well as their form and content, and applying the rules listed below. Please allow a reasonable time (1-2 business days) for a response after reporting.

We will refuse credits where researchers breach the rules below or do not otherwise behave responsibly and ethically:

Reports we do not class as security issues are not eligible for an acknowledgement on this page; these include but are not limited to:

Directory Listings and FTP sites. Our products are based on open source components and we make certain content available using directory listings and via anonymous FTP. Please only report these if you find (what can reasonably be assessed as) non-public content being exposed.

Version Numbers. We do not hide the version numbers of online service components and you should expect these will not be the latest upstream versions.

Reports from automated tools or scanners without manual verification and analysis

Theoretical attacks without proof of exploitability

Brute force attacks (e.g. on passwords or tokens)

Attacks involving any user accounts not created by you

Attacks involving physical access to a user's device, or involving a device or network that is already compromised

Missing security headers that do not lead directly to a vulnerability

Clickjacking

Cookies missing secure or HttpOnly flags

Bugs that rely on an unlikely user interaction

Issues that are the result of a user deliberately performing an insecure action (like sharing their password or API tokens publicly)

Social engineering of Red Hat staff or users

Issues related to password and account recovery processes

Some Red Hat branded services are operated by third parties. If you notify us about security issues on such sites, we will coordinate fixes with the affected vendors, and acknowledgements may be given by those vendors or under their rules.

Some security issues may be due to underlying vulnerabilities in third-party applications that we use. In these cases we will coordinate fixes with the application vendor, and acknowledgements may be given by those vendors or on our CVE dictionary pages.

We expect you to make a good faith effort to avoid privacy violations, destruction of data, or degradation to our service during your research. Please avoid using tools that are likely to automatically generate significant volumes of traffic or otherwise cause operational problems for our sites.
